As today's networks grow in complexity, Network Service Providers need a more efficient network management system that integrates traffic analysis information, including Flows, SNMP polling, and BGP routing data, for operational and business decision-making. Moreover, increasingly rampant deliberate attacks have seriously impacted and threatened network service performance as well as the operation of information systems.
GenieATM 6000, a flow-based solution that collects network-wide traffic for data mining and anomaly detection, is designed especially for carrier-grade networks with high capacity and high performance. It automatically generates various pre-defined traffic reports and detects abnormal network behavior, DoS/DDoS attacks, and unusual routing from interior or exterior networks; alerts are then sent to network operators so they can act in time. GenieATM 6000 also provides powerful Snapshot and Forensic tools that support integration with 3rd-party devices to promptly intercept anomalous traffic.
Distributed Architecture with Centralized Control
With its distributed architecture, GenieATM 6000 not only collects large-scale network flows easily but also simplifies system configuration management. In addition, GenieATM 6000 allows phased equipment (GenieATM Collector) adjustments based on network and traffic scale, effectively reducing the total cost of ownership (TCO).
GenieATM 6000 is equipped with a powerful Traffic Analysis Engine that swiftly performs various classification, statistics, and sorting operations and generates precise pre-defined traffic reports.
- Traffic Matrix Analysis between Sub-Networks and Neighbors.
- Rule-based Traffic Analysis Mechanism: through Factors and Filters, users can sieve out the flows they are interested in for traffic analysis and monitoring, and produce different kinds of Top-N reports.
- Traffic Attribute Reports on Application, Protocol+Port, TOS Value, and Packet Size.
- With built-in intelligent network modeling, various pre-defined network flows (Home, Neighbor, Sub-Network, Backbone and Customer) can be accurately classified, and the relevant traffic reports are generated automatically.
- Real-time TopN Ranking: lists TopN ranks within any specified time duration. The built-in traffic aggregation engine enhances the accuracy of traffic analysis in ISP high-traffic-volume environments.
- Multi-tenant event access: Allows various users to analyze and retrieve traffic reports of their own scoped traffic and events.
GenieATM 6000's Anomaly Traffic Detection Engine detects malicious DDoS attacks or worm traffic by analyzing the IP header information of network flows. A particular detection scope can be selected to examine whether network quality is threatened by any abnormal traffic. The supported network-wide anomaly detections include:
- Traffic Anomaly: monitors a specific detection scope for unexpectedly large traffic volumes to identify unknown network attacks (Zero-Day Attacks).
- DDoS Attack Detection: detects Protocol-Misuse anomalies, such as TCP SYN Flooding, UDP Flooding, ICMP Flooding, and enumerates possible attackers, victims and affected hosts.
- Worm: detects known worms, such as Blaster, Sasser, Code Red, SQL Slammer, etc.
- Interface Anomaly: monitors device performance, interface throughput, bandwidth utilization, (CRC) error packets, discarded packets, and Multicast + Broadcast packets.
- BGP Route Instability: detects unexpected BGP routing changes or excessively-frequent BGP update messages.
- Multi-tenant event access: Allows various users to view detection event data and trigger mitigation of attacks toward their own scoped traffic and events.
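As an added example (not GenieATM code), the following Python sketch shows the two detection ideas above, a traffic baseline for a detection scope and protocol-misuse (TCP SYN flooding) detection with attacker and victim enumeration, applied to constructed flow records; the record fields, thresholds and addresses are assumptions, not the product's:

```python
import statistics
from collections import Counter, defaultdict

TCP, SYN, ACK = 6, 0x02, 0x10

# Constructed NetFlow-like records (5-tuple, cumulative TCP flags, counters); not real traffic.
FLOWS = [
    {"src": "203.0.113.5", "dst": "198.51.100.10", "proto": TCP, "dport": 80,
     "flags": SYN | ACK, "pkts": 40, "bytes": 52000},
    {"src": "203.0.113.6", "dst": "198.51.100.10", "proto": TCP, "dport": 443,
     "flags": SYN | ACK, "pkts": 30, "bytes": 41000},
] + [
    # 200 half-open flows (SYN only, one packet each) from 50 sources toward one victim
    {"src": f"192.0.2.{i % 50 + 1}", "dst": "198.51.100.20", "proto": TCP, "dport": 80,
     "flags": SYN, "pkts": 1, "bytes": 60}
    for i in range(200)
]

# Constructed history of per-interval bit rates (bps) for the scope, e.g. from the previous day.
HISTORY_BPS = [90e6, 100e6, 110e6, 95e6, 105e6]


def syn_flood_victims(flows, min_syn_only_flows=100, min_sources=20, top_n=5):
    """Protocol-misuse check: a destination receiving many SYN-only, near-empty
    TCP flows from many distinct sources is flagged as a SYN-flood victim.
    Returns {victim: [top-N source addresses by half-open flow count]}."""
    per_victim = defaultdict(Counter)
    for f in flows:
        half_open = f["flags"] & SYN and not f["flags"] & ACK and f["pkts"] <= 2
        if f["proto"] == TCP and half_open:
            per_victim[f["dst"]][f["src"]] += 1
    victims = {}
    for dst, sources in per_victim.items():
        if sum(sources.values()) >= min_syn_only_flows and len(sources) >= min_sources:
            victims[dst] = [src for src, _ in sources.most_common(top_n)]
    return victims


def traffic_anomaly(history_bps, current_bps, k=3.0):
    """Volume check: the baseline is mean + k * stddev of the historical rates;
    an interval above it is an anomaly. Returns (is_anomaly, threshold_bps)."""
    threshold = statistics.mean(history_bps) + k * statistics.pstdev(history_bps)
    return current_bps > threshold, threshold


if __name__ == "__main__":
    print("SYN flood victims:", syn_flood_victims(FLOWS))
    print("Volume anomaly at 400 Mbps:", traffic_anomaly(HISTORY_BPS, 400e6))
```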
Traffic Snapshot is an online troubleshooting tool that inspects network traffic over current flows in cache or historical flows in raw data storage. Given its network-wide troubleshooting scope, network administrators no longer have to trace problems by capturing and analyzing packets on each link. GenieATM not only offers powerful traffic filters with abundant analysis criteria for Traffic Snapshot, but also provides various aggregation methods to generate different real-time Top-N analyses.
Moreover, users can drill down into suspicious traffic step by step and locate attacking sources precisely. Meanwhile, the system can generate a set of ACL commands as a suggestion to network operators for anomaly mitigation.
GenieATM 6000 sends out real-time alarms and notifications to network operators once any anomalous traffic is detected, and provides the handy tools below to assist network operators with real-time troubleshooting, forensics, retrospective analysis, etc. In addition, GenieATM supports integration with traffic-cleaning devices or routing devices to directly cut off malicious attack traffic, thus protecting backbone bandwidth.
- Alarm & Notification: the system automatically generates a daily traffic baseline and sends out alerts and notifications via Email, SNMP Trap, or Syslog once anomaly events are detected.
- Snapshot: connects directly with online troubleshooting tools to locate problem points.
- Forensic: preserves anomaly traffic raw data for future analysis.
- Report Rebuild: based on the saved historical raw data, users can rebuild rule-based filter reports for a specific time period to recall past network behavior.
- Mitigation: using Blackhole or Flowspec configuration, or integrating with traffic-cleaning devices (A10 TPS, Cisco Guard, F5 BIG-IP, Huawei AntiDDoS8000, Radware DefensePro, etc.), the system can directly terminate attack traffic and thus mitigate network-wide anomalies.
| Model | Role |
|---|---|
| GenieATM 6300 | Controller with Collector embedded |
| GenieATM 6100 | Flow Collector |
All the above models are available in Genie appliances and in software versions supporting virtual machines.